And/or trade-off in artificial neurons: impact on adversarial robustness

Neural networks reached around 2013 human-level performance in image classification tasks, giving rise to the phenomenon of deep learning as we know it today. But accuracy is not everything, and researchers started to wonder how robust these models are, how much neural networks really "understand" and what they actually "see". In an attempt to (also) answer this question, (Szegedy et al., 2013) described two interesting aspects of deep neural networks. The first aspect concerned the way in which networks store information, but it was the second aspect which immediately attracted the attention of the scientific community: given a correctly classified image, it is possible to add artificially crafted noise imperceptible to the human eye, to create a second image which is very likely to be misclassified. This problem is intertwined to that of understanding how information is encoded in neural networks (Samek et al., 2017). In supervised learning guided by stochastic gradient descent (SGD), the features encoded in hidden neurons are learned as a byproduct of the reduction of the classification error in the output layer. The statistical properties of features encoded by intermediate neurons remain poorly understood, as well as their contribution to the classification performance of the network. In recent years, the topic of adversarial examples has grown to become a field in its own right, that is currently witnessing an arms race in which the attackers are ahead: for every defence proposed, new ways to get around it and new attacks are invented on a weekly basis (Yuan et al., 2018).